What is Magecart and was it behind the Ticketmaster and BA hacks? Credit: Sandeep Swarnkar


The phenomenally damaging cyberattack on British Airways last week saw the haemorrhaging of information from over 385,000 transactions, credit card and personal details included.

As the dust settles and the company scrambles to carry out damage control, more information is emerging about the identity of the perpetrators - with notorious hacking group Magecart the prime suspect. 

Who is Magecart?

Cyber security firm RiskIQ has released more details about the BA attack and linked it to Magecart, a hacker group specialising in skimming credit card details from unsecured payment forms on websites.

These ‘digital skimmers’ (that work through code inserted into websites) operate similarly to physical card skimmers that are sometimes inserted into ATMs to lift information from cards and transmit it back to hackers.


These kinds of attacks are known as "cross-site scripting" and exploit weaknesses in the code of the payment processing pages, without necessarily compromising the victim site’s network or server. In the past, these have been targeted towards third-party payment processors, but the attack targeted at British Airways was far more tailored to the company's particular infrastructure - boutique malware, if you will.

According to RiskIQ, this indicates a worrying development in the group’s abilities as it represents a considerable progression from the ‘generic scripts’ they've previously adopted.

To identify the attack, RiskIQ trawled through the unique scripts of BA’s website - the ones that would have been targeted in this type of attack - and tracked them until a change was visible - coinciding with the moment that the attack began.

Inserted into the code were 22 lines of code typical of these types of hacking operations. This recorded customer information and then transmitted it to the attackers' server when the customer pressed the submission button. The attack has been attributed to Magecart as the code used is a slightly adapted version of their trademark script.


Even more cunningly, the attackers paid for an SSL certificate for this server, which helps to create the assumption of legitimacy because it means that web encryption is enabled and that data can be protected.

Although the exact details are still unknown, threat researcher Yonathan Klijnsma of RiskIQ said that the attack must have been sophisticated to remain undetected by BA for 15 days.

Magecart rampage: other attacks   

RiskIQ has linked the BA attack to the Ticketmaster breach which took place in June 2018, affecting 40,000 customers, suggesting it's likely that Magecart was also behind this. 

More recently, following the British Airways attack, push notification service Feedify has also reported finding the presence of Magecart malware on its site. This involved a JavaScript library hosted by Feedify and used by a range of ecommerce sites.


The code in question is typically embedded to allow customers to leave feedback on sites; however, it had been tampered with to include Magecart malware, meaning the customers of a wide range of sites integrating the code could be at risk.

Reportedly, it's more or less the same script that was embedded into both BA and Ticketmaster sites. Feedify reported that this is the third time in a month that the code has had to be scrubbed, indicating a long-term, persistent attack from Magecart. This demonstrates the risk that companies take embedding third-party code into their sites.
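
The script tracking described above (following a site's scripts until a change becomes visible) and the third-party code risk can both be monitored with a content hash per script. The following is an added example, not RiskIQ's tooling or code from any affected site; the crawl labels, script bodies and the host `collector.example` are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed crawl history of ONE script URL: (crawl label, body served).
# The last entry has a block appended to an otherwise unchanged library.
SNAPSHOTS = [
    ("crawl-01", b"/* lib 1.0 */ function init(){ return 1; }\n"),
    ("crawl-02", b"/* lib 1.0 */ function init(){ return 1; }\n"),
    ("crawl-03", b"/* lib 1.0 */ function init(){ return 1; }\n"
                 b"var u = 'https://collector.example/p'; /* appended */\n"),
]

URL_RE = re.compile(rb"https?://[^\s'\"()<>]+")


def sri_hash(body):
    """Subresource Integrity value (sha384) for a script body."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def hosts_in(body):
    """Hostnames of absolute URLs that appear literally in the script."""
    urls = (m.decode("ascii", "replace") for m in URL_RE.findall(body))
    return {h for h in (urlparse(u).hostname for u in urls) if h}


def first_change(snapshots):
    """Return details of the first crawl whose hash differs from the baseline."""
    _, base_body = snapshots[0]
    baseline = sri_hash(base_body)
    for label, body in snapshots[1:]:
        current = sri_hash(body)
        if current != baseline:
            return {
                "changed_at": label,
                "baseline_sri": baseline,
                "current_sri": current,
                "added_bytes": len(body) - len(base_body),
                "new_hosts": sorted(hosts_in(body) - hosts_in(base_body)),
            }
    return None  # script never changed across the crawls


if __name__ == "__main__":
    print(first_change(SNAPSHOTS))
```

The hash mismatch is the reliable signal; the host list is only a triage hint, since an obfuscated script can hide its destination. The same `sha384-...` value can be placed in a `<script integrity="...">` attribute so browsers refuse a third-party file that no longer matches.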
